The Year DDoS Got Real for Credit Unions

Before 2013, Distributed Denial of Service attacks seemed to many credit union executives as something the other guys worried about. The prevailing attitude was: We’re not on anyone’s radar. We aren’t on anyone’s enemies list. Why worry?

Then came January 2013 when the $1.6 billion University Federal Credit Union in Austin, Texas, and Patelco, the $4 billion Pleasanton, Calif. credit union, both acknowledged they had been knocked offline for some hours. Many big banks were taken down at the same time, in attacks claimed by al Qassam Cyberfighters, an organization that many allege is sponsored by the Iranian government.

A month later, in February, bothinstitutions were taken down another time, again in attacks claimed by al Qassam. Many banks also fell victim a second time. There were also dud DDoS attacks, such as a much-ballyhooed May 7 attack – which saw institutions fearfully running for cover from an attack said to be planned by OpUsa, a hacktivist group affiliated with Anonymous – but it amounted to nothing.

As the year progressed, there were more reports of DDoS used as a diversionary tactic by criminals who sought to distract financial institution security staff with website attacks as they busied themselves perpetrating high-value wire thefts. There have been no such cases publicly linked to credit unions, but there are multiple cases linked to banks.

How many credit unions have been taken down by DDoS? That number is unknown. Patelco and University were named in Internet postings by al Qassam, thus their attacks became public knowledge.

The NCUA, for its part, requires credit unions that have been “significantly affected by DDoS” to notify the NCUA or their state regulators. When asked in October for the number of credit unions that had filed reports, the agency shared data showing two outages. But the regulator did not indicate that it believed that tally to be complete. CUNA Mutual, at the same time, indicated it had no count whatsoever of DDoS outages.

No one really knows how many credit unions were attacked by DDoS in the year but one fact did seem to emerge. “DDoS has become a perennial, it is here to stay in the threats universe,” said Charles Burckmyer, president of Sage Data Security, a firm that claims several hundred financial institutions as clients.

Just what is DDoS? The question is good, because the answer is tough to give. That’s because the format of DDoS shifted dramatically in 2013, said Rodney Joffe, senior technologist at Neustar, an Internet analytics company that also offers DDoS mitigation services.

Early in the year, Joffe recalled, DDoS sought to wipe out victim websites by targeting them with huge volumes of traffic – generally assembled using resources stolen from zombie computer botnets where the machine owners have no clue their devices are digital slaves to criminals. So those targets – such as Patelco and UFCU – went down because they were overwhelmed.

But DDoS attacks and mitigation strategies continually evolve, said Joffe. When one side jigs, the other responds. That showed up as many financial institutions signed up with third-party mitigation companies to provide emergency “pipe” – Internet bandwidth – to be able to deflect volume-based attacks.

So the attackers switched to hitting victims with an avalanche of requests for services that had the effect of using the target computers to in effect tire themselves, noted Stephen Gates, chief security evangelist of Corero Network Security. A classic, for instance, is hitting a financial institution website with many requests for a password reset, probably for non-existent members, but the institution’s computer still is forced to go through so many motions it may become unavailable to genuine users.

Next Page: The Cure

Pierluigi Stella, chief technology officer at security company Network Box USA, elaborated: “The (DDoS criminal’s) query is usually less than 100 bytes; the reply can be tens of thousands; so the hacker gets an amplification factor of 100. For each packet of 100 bytes the hacker sends out, you get hit by 10,000 bytes.” Multiply that by maybe several hundred queries per second and it is easy to see why this attack has proven so successful in 2013, suggested Stella.

The cure, said experts, is to deploy tools that in effect scrub all data as it comes into the system. Bad data is sidelined, authentic data is passed through, and while that is easier to prescribe than it is to implement in practice, experts agreed that DDoS mitigation companies took large strides in 2013 towards building tools that in fact scrubbed incoming data with high success rates.

The bad news: Nobody thinks today’s DDoS format will be tomorrow’s, and no one knows what criminals will unleash in the months ahead. Maybe the jackpot question is, how well protected are credit unions when it comes to fending off DDoS, especially as it morphs into different formats? Have they invested in state-of-the-art protections?

Not very many have made those investments, said multiple experts contacted by Credit Union Times. Few credit unions will discuss their DDoS defenses on the record but off the record some have indicated that their defenses are thin. Many hope that their vendors – for Internet banking or their Internet service provider – have adequate protections in place to keep the credit union itself also protected.

DDoS will remain part of the threats landscape, said multiple experts, mainly because it is effective, it is inexpensive, and it is increasingly easy to deploy. As long as it gets results, criminals will continue to use it, said Joffe.

Nonetheless, he flatly predicted that we will not see more of the al Qassam-style, high-profile attacks that won headlines early in 2013. “Those attacks were politically motivated but they accomplished nothing,” said Joffe.

Other experts agreed, pointing to changes in Iranian politics and a recent thawing in relationships with the United States. The upshot is that the al Qassam attacks may in fact be history, meaning there may not be more days when several dozen financial institutions are taken offline in a brazen show of Internet power.

“But we will see more DDoS because it works,” said Joffe, and he specifically predicted more use of it as a diversion because if a security staff can be distracted for a half-day, that may be ample time for a wire transfer to move money out of the United States and through several hops into a destination country where funds are unlikely to be returned.

Gartner analyst Avivah Litan – one of the experts who first reported the use of DDoS as a diversion – noted in an interview that good policy would be to “slow” wire transfers at times when the institution found itself under a DDoS attack. Her opinion is that simply slowing down transaction speed might sharply reduce losses.

At least until the criminals figure out a new strategy – and that is a big takeaway from the 2013 DDoS saga. “This is an arms race that is no different from any other arm’s race,” said Joffe. “As we add defenses, the criminals alter their attacks and so it goes on.”

The good guys win, said Joffe, by making it expensive for the criminals, such as disrupting their botnet zombie networks. “If we can make it more expensive for them than the rewards they get from their DDoS, we win,” said Joffe.